
Nemo_bis has admin (!= contentadmin) rights on wikitech
Closed, Resolved (Public)

Description

@ori made Nemo_bis an admin on wikitech.wikimedia.org at 2014-09-25T09:29:03 with the comment: "Offered to help with vandal-fighting" (cf. https://wikitech.wikimedia.org/wiki/Special:UserRights/Nemo_bis). Usually, on wikitech.wikimedia.org for that purpose contentadmin is used because admin allows editing the MediaWiki: namespace & Co. and thus has the potential to impersonate users with privileges.

If the intention was to make Nemo_bis a contentadmin, that should be fixed; if admin was indeed intended, that should be reaffirmed with a clear message in the user rights log.

Event Timeline

scfc triaged this task as Unbreak Now! priority. Feb 16 2017, 3:16 PM
scfc added a project: wikitech.wikimedia.org.

@scfc: Hmm, if this has been the situation for 17 months, what makes this so urgent that this task has "Unbreak Now!" priority?

Nemo_bis is a well known trusted person. While the other rights may be more appropriate, this should be resolved through normal channels as we have no reason to believe nemo would abuse his access or otherwise is a security risk.

Bawolff lowered the priority of this task from Unbreak Now! to Medium. Feb 16 2017, 3:51 PM

@Aklapper: Because I set it to that priority. If you question or disagree with my action, please do so explicitly. Your choice of language is not helpful for a productive collaboration. (JFTR: 28 months.)

I don't doubt that Nemo_bis is well known and trusted, I do so myself; but there are a lot of well-known and trusted (by me) persons who are not admin on wikitech.wikimedia.org or do not have similar privileges in other venues because those rights aren't given out freely by WMF, and in this environment IMHO when someone appears to have/has rights that they should not have, this should be investigated and, when necessary, remedied immediately.

> @Aklapper: Because I set it to that priority. If you question or disagree with my action, please do so explicitly. Your choice of language is not helpful for a productive collaboration. (JFTR: 28 months.)
>
> I don't doubt that Nemo_bis is well known and trusted, I do so myself; but there are a lot of well-known and trusted (by me) persons who are not admin on wikitech.wikimedia.org or do not have similar privileges in other venues because those rights aren't given out freely by WMF, and in this environment IMHO when someone appears to have/has rights that they should not have, this should be investigated and, when necessary, remedied immediately.

I'm not necessarily saying he should keep those rights (personally I'd like to talk to the parties involved before saying definitely he should lose them, but at first glance I agree with your assessment that contentadmin is more appropriate relative to his role). However, Unbreak Now comes with the association of a severe issue requiring immediate remedy (for example, someone's account has been compromised by a known malicious person). This issue just isn't in that category.

> @Aklapper: Because I set it to that priority. If you question or disagree with my action, please do so explicitly.

I won't, as I miss information. Hence I asked you why this "needs to be fixed immediately, setting anything else aside" (emphasis mine) as the situation has been like this for 28 months.

> Your choice of language is not helpful for a productive collaboration.

Feel free to tell me which language you would have preferred / how you would have phrased the question.

@Aklapper: Minimum diff is: "Hmm, if this has been the situation for 17 months, what makes this so urgent that you triaged this task as 'Unbreak Now!' priority?" I would probably have phrased: "Why do you think this needs to be 'Unbreak Now!' if the situation has been this way for 17 months with no apparent problems?" Or, if I had disagreed based on the available evidence: "I don't think this task needs to be 'Unbreak Now!' if the situation has been this way for 17 months with no apparent problems."

bd808 claimed this task.

Reduced from admin to contentadmin.

Also tired of seeing people fight over UBN! generally. We've lost one good volunteer to it already.

bd808 changed the visibility from "Custom Policy" to "All Users". Feb 18 2017, 4:14 PM

I'd like not to sound harsh, but this looked somewhat not fair to me. For starters the bug was filed as a security issue and @Nemo_bis was not even aware of this discussion as he could not even see this ticket as he was not CCd. Just recently the security level of this ticket has been changed to allow all registered users to see this. If there was any reason why this had not to be public and Nemo not being aware then my apologies and I'll keep my mouth shut.

That said, yes, contentadmin for maintenance is sufficient, but I'd have preferred that Nemo be heard first, and also noted that there are a lot of people on Wikitech with sysop and bureaucrat rights that might as well be in this same situation. Maybe those should also be reviewed as well.

Regards.

It was marked as a security issue because it was. It is not now because it has been resolved by removing the rights that are not needed for general vandal fighting (and thank you @Nemo_bis for helping with that!).

I looked over the rest of the admin list and made the same sysop -> contentadmin change for @TheDJ (granted by ori), @Matanya, @Legoktm, and @Bawolff (granted by me). I'm not opposed to any or all of these people getting sysop again if they have a demonstrable need for the additional rights.

I don't doubt it was a security issue, but @Nemo_bis should have been heard previously I think. In any case, I don't want to start a fight for this.

Please note that bureaucrats can grant sysop rights. Maybe we should amend that so they're allowed to add/remove contentadmin? Also, maybe shellmanagers should be able to remove shell (currently they only can add it).

Regards.

> I don't doubt it was a security issue, but @Nemo_bis should have been heard previously I think. In any case, I don't want to start a fight for this.

I have no wish for a fight either, but I'm curious as to how the logic follows to ask a fundamentally WP:BEANS question like "do you need the elevated rights we found you hold which could be used to compromise the operations/puppet.git repo?". It seems much more prudent to do what I did by removing the rights in question and then (indirectly I admit, and my apologies again for that @Nemo_bis) asking if they were actually needed.

> Please note that bureaucrats can grant sysop rights. Maybe we should amend that so they're allowed to add/remove contentadmin? Also, maybe shellmanagers should be able to remove shell (currently they only can add it).

Giving 'crats the right to grant and remove contentadmin seems appropriate. A related question is whether 'crats should be able to grant sysop at all on wikitech.

I'm not actually sure that shellmanagers is needed at all anymore. At one point a user had to request the shell right before they could be added to a project, but this has been changed so that shell is automatically granted.

We should probably open follow up tickets about both of these potential configuration changes and then resolve them one way or another.

@bd808 With regards to your first point, I'd accede to that if @Nemo_bis weren't such a long-term and trusted contributor. I am aware of the sensitiveness of the Hiera and MediaWiki namespace on Wikitech. In any case, I repeat, I understand what you did and I don't want to start an argument with you :)

I agree with the followup tickets for right changes. Since you know how OpenStackManager works, etc. I'll let you decide what to do with the shellmanagers group. I thought that w/o the "shell" permission you cannot "ssh" to tool-labs?

Legoktm changed the visibility from "All Users" to "Public (No Login Required)". Feb 18 2017, 8:03 PM

Thanks for letting me read this ticket. I note the description contains a valid rationale, which helps me understand the action:

> for that purpose contentadmin is used because admin allows editing the MediaWiki: namespace

(Yes, after some wondering at Special:ListGroupRights I did think that maybe it had something to do with editinterface, but I shouldn't have to guess.)

I applaud the effort to clean up rights at wikitechwiki. I think https://wikitech.wikimedia.org/wiki/Special:ListUsers/sysop lists several people who probably need the flag (even) less than me; setting up a goal for the flag cleanup may help proceed in an orderly fashion (as opposed to quarrels over task priority, which don't seem especially useful).